-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory SA-1997.19: Vulnerabilities in NetKit-B
Caldera Security Advisory SA-1997.19
RPM build date: 26-Jul-1997 (for netkit-base)
Advisory issue date: 22-Sep-1997
Topic: Vulnerabilities in NetKit-B

I. Problem Description

There are several vulnerabilities in the network tools from
the NetKit-B package.

rshd, rlogind, and rexecd wouldn't close all file descriptors,
including that of /etc/shadow. With the right setup, any user
coming in via rsh or rlogin could thereby read /etc/shadow.

rshd/rlogind would print different messages for non-existent
users or wrong password.

rusersd had some buffer overflows.

fingerd wouldn't drop privileges if it failed to open /etc/passwd.
Mostly a theoretical problem because it's quite difficult to
create a file handle starvation, and there aren't currently any
known other problems that could be exploited.

bsd-finger-0.10 fixes a denial of service situation where
users' .plan or .project files are named pipes.

netkit-inetd-0.10 fixes an issue with group list handling that
could cause trouble if inetd were restarted from the command
line. This is presently believed to be a non-issue but it never
hurts to be careful.

netkit-inetd-0.10 fixes a denial of service problem with the
daytime port.

This release fixes a mistake in rlogind that could have
security implications (the previous version honored
hosts.equiv for root, which is contrary to the specification.)

This release also fixes a problem with the PAM support wherein
it was possible for a remote user to distinguish between
wrong passwords and nonexistent usernames.

This release fixes a problem in tftpd that tftp clients could
exploit to read any file on the system readable by the user
tftpd ran under.
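
Added example (not part of the Caldera advisory or the NetKit sources): the
rshd/rlogind/rexecd descriptor leak described above arises when a privileged
daemon still holds a sensitive file open at the moment it runs the user's
shell. This C code marks every descriptor above stderr close-on-exec, which
closes them at exec time rather than in place; the name cloexec_from and the
Linux /proc/self/fd listing are assumptions of the example.

```c
/* Added example; not NetKit code. Assumes Linux with /proc mounted. */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Mark every open descriptor >= lowfd close-on-exec, so nothing the daemon
 * opened while privileged survives into the program it execs.
 * Returns the number marked, or -1 if the descriptor table cannot be listed
 * or changed; the caller must then refuse to exec the user's shell. */
int cloexec_from(int lowfd)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int marked = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        int flags;

        if (end == e->d_name || *end != '\0' || fd < lowfd)
            continue;                 /* "." / ".." or a descriptor to keep */
        flags = fcntl((int)fd, F_GETFD);
        if (flags == -1 ||
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == -1) {
            closedir(d);
            return -1;                /* fail closed */
        }
        marked++;
    }
    closedir(d);
    return marked;
}

int main(void)
{
    /* Constructed stand-in for a sensitive file left open after the
     * password lookup; /dev/null is used so the example runs unprivileged. */
    int leaked = open("/dev/null", O_RDONLY);
    int n = cloexec_from(STDERR_FILENO + 1);

    printf("marked %d descriptors; fd %d close-on-exec: %s\n", n, leaked,
           (fcntl(leaked, F_GETFD) & FD_CLOEXEC) ? "yes" : "no");
    return n < 0;
}
```

Opening sensitive files with O_CLOEXEC in the first place removes the window entirely; a sweep like this one is the backstop for descriptors opened by library code the daemon does not control.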

II. Impact

NetKit-B was present on the following OpenLinux releases:

    CND 1.0
    Base 1.0
    Lite 1.1
    Base 1.1
    Standard 1.1

To determine if you are affected and need this update, you may do
the following:

    rpm -q NetKit-B

If the results show that any version of NetKit-B is installed,
then you will need to update.

III. Solution

Replace NetKit-B with the netkit-0.10 packages.

They can be found on Caldera's ftp site at:

    ftp://www.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

and

    ftp://www.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

for the sources.

The MD5 checksums (from the "md5sum" command) for these
packages are:

Since these are network applications, it is recommended that
you bring the system down to single user mode to make
the changes. Do the following:

1) Log in as root from the console of the system when no other users
   are logged on.

2) Type 'telinit 1'. (This will bring the system down to single user
   mode. You will be prompted to enter the root password for
   maintenance.)

3) Enter the root password and change to the directory containing
   the binary RPMs.

4) Type the following:

    rpm -e NetKit-B
    rpm -i netkit-base-0.10-1.i386.rpm
    rpm -i netkit-bootparamd-0.10-1.i386.rpm
    rpm -i netkit-ftp-0.10-2.i386.rpm
    rpm -i netkit-ntalk-0.10-1.i386.rpm
    rpm -i netkit-routed-0.10-1.i386.rpm
    rpm -i netkit-rsh-0.10-3.i386.rpm
    rpm -i netkit-rusers-0.10-2.i386.rpm
    rpm -i netkit-rwall-0.10-3.i386.rpm
    rpm -i netkit-rwho-0.10-1.i386.rpm
    rpm -i netkit-telnet-0.10-1.i386.rpm
    rpm -i netkit-tftp-0.10-1.i386.rpm
    rpm -i netkit-timed-0.10-1.i386.rpm
    rpm -i bsd-finger-0.10-2.i386.rpm

5) Log out of the maintenance shell. (The system will
   return to the default runlevel.)

Note: after netkit-base-0.10-1 is installed, you will
see the message, "Please kill and restart inetd manually."
This message is generated by the RPM.
Since you are in single user mode, inetd has already been
killed. When you log out, the system will be brought back
to the default runlevel, and inetd will start again
automatically. Hence, if you upgrade in the manner
described above, you can ignore this message.

IV. References

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

This closes Caldera's internal problem reports #552 and #803.

V. PGP Signature

This message was signed with the PGP key for .
This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1997.19,v 1.1 1997/09/22 22:08:16 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----